Thursday, 4 October 2012

Basic concept of cryptographic signatures

"Electronic signature" may sometimes mistakenly be used to refer to cryptographic signatures: a piece of data included with a message that uses cryptographic methods to assure, at the least, both message integrity and authenticity. Cryptographic signatures are themselves a common feature of many larger systems or standards for electronically "signing" a message or contract.
Another common term for cryptographic signature is digital signature; the similarity of the term to "electronic signature" can invite confusion, which is why for this article cryptographic is used.
For an example of a cryptographic signature, a proposed purchase order accepted by a vendor and returned via email to the purchaser after being digitally signed. In fact, in modern practice, a digital signature of some text is always electronically processed in some sense, for the cryptographic mechanisms are impracticable without computers. In theory however, this is not required. Because of the use of message integrity mechanisms, any changes to a digitally signed document will be readily detectable if tested for, and the attached signature cannot then be taken as valid.
It is important to understand the cryptographic signatures are much more than an error checking technique akin to checksum algorithms, or even high reliability error detection and correction algorithms such as Reed-Solomon. These can offer no assurance that the text has not been tampered with, as all can be regenerated as needed by a tamperer. In addition, no message integrity protocols include error correction, for to do so would destroy the tampering detection feature.
Popular electronic signature standards include the OpenPGP standard supported by PGP and GnuPG, and some of the S/MIME IETF standards. All current cryptographic digital signature schemes require that the recipient have a way to obtain the sender's public key with assurances of some kind that the public key and sender identity properly belong together, and that message integrity measures (also digital signatures) which assure that neither the attestation nor the value of the public key can be surreptitiously changed. A secure channel is not typically required.
A digitally signed text may also be encrypted for protection during transmission, but this is not required when most digital signature protocols have been properly carried out. Confidentiality requirements will be the guiding consideration.
Print Page

No comments:

Post a Comment